(57) A unified policy management system for an organization including a central policy server and remotely situated policy enforcers. A central database and policy enforcer databases storing policy settings are configured as LDAP databases adhering to a hierarchical object-oriented structure. Such structure allows the policy settings to be defined in an intuitive and extensible fashion. Changes in the policy settings made at the central policy server are automatically transferred to the policy enforcers. Each policy enforcer collects and transmits health and status information in a predefined log format to the policy server for efficient monitoring by the policy server. For further efficiencies, the policy enforcement functionalities of the policy enforcers are suitably partitioned so as to be readily implemented in hardware. The system also provides for dynamically routed VPNs where VPN membership lists are automatically created and shared with the member policy enforcers. Updates to such membership lists are also automatically transferred to remote VPN clients. The system further provides for fine grain access control of the traffic in the VPN by allowing definition of firewall rules within the VPN. In addition, policy server and policy enforcers may be configured for high availability by maintaining a backup unit in addition to a primary unit. The backup unit becomes active upon failure of the primary unit.

Description 

FIELD OF THE INVENTION 

[0001] The present invention relates to computer networks and more particularly, to devices and methods for providing efficient, integrated and scalable policy management services for remote private networks across the Internet.
BACKGROUND OF THE INVENTION

[0002] The growth and proliferation of computers and computer networks allow businesses to efficiently communicate with their own components as well as with their business partners, customers, and suppliers. However, the flexibility and efficiencies provided by such computers and computer networks come with increasing risks, including security breaches from outside the corporation, accidental release of vital information from within, and inappropriate use of the LAN, WAN, Internet, or

[0003] In managing the growth of computer networks as well as addressing the various security issues, network managers often turn to network policy management services such as firewall protection, Network Address Translation, spam email filtering, DNS caching, Web caching, virtual private network (VPN) organization and security, and URL blocking for keeping network users from accessing certain Web sites through use of the organization's ISP. Each policy management service, however, generally requires a separate device that needs to be configured, managed, and monitored. Furthermore, as an organization grows and spreads across multiple locations, the devices maintained also multiply, multiplying the associated expenditures and efforts to configure, manage, and monitor the devices.
[0004] The solution to this problem is not as simple as just integrating multiple network policy management functions into a single device at each location and allowing each location to share its policy information with other locations. In fact, there are many obstacles and challenges in adopting such an approach. For example, a scheme for specifying and distributing policy management information effectively across remote private networks of an entire organization generally requires a well designed object model. The synchronizing of multiple databases in the organization with updates to the policy management information may also be a complex problem. Moreover, managing the policy information efficiently for remote devices across an organization may present a challenge. Furthermore, collecting logs and statistics information from the remote private networks in a large distributed policy management system for efficient analysis and report generation is often a difficult task. Conventionally, only raw packet information is logged and saved, generally requiring time-consuming and custom-generated programs to be run on the raw data off-line to produce meaningful reports and statistics.

[0005] There are other challenges in providing a unified policy management system. For increased benefits, such unified policy management functions should be implemented as much as possible in hardware. However, implementing policy management on a chip typically requires an efficient design [...]. The unified policy management system should also allow for efficient configuration, management, and updating of virtual private networks extending over different remote

[0006] Accordingly, there remains a need in the art for a network management solution that overcomes these and other obstacles of the prior art.



SUMMARY OF THE INVENTION 



[0007] The present invention is directed to a unified policy management system where various policies, namely the set of rules and instructions that determine the network's operation, may be established and enforced from a single site. According to one embodiment of the invention, the system includes a first edge device associated with a first network having a first set of resources that is configured to manage the policies for the first network according to the policy settings stored in a first database. The system also includes a second edge device associated with a second network having a second set of resources that is configured to manage the policies for the second network according to the policy settings stored in a second database. The first and second edge devices act as policy enforcers for their respective networks. The policies being enforced may include firewall policies, VPN policies, and the like.

[0008] The system further includes a central policy server in communication with the first and second edge devices. The policy server is configured to define the first and second policy settings and manage the first and second edge devices from a single location. Thus, a network administrator need not multiply his or her efforts and associated expenditures in configuring and managing the policy enforcers individually.
[0009] In alternative embodiments, the unified policy management system includes one or more of the following features.

[0010] The central policy server may include a central database for storing configuration information of the policy enforcers. The central database as well as the databases associated with the policy enforcers are Lightweight Directory Access Protocol (LDAP) databases organized according to a hierarchical object oriented structure. This structure includes resource objects and [...] policy enforcers. Such a structure helps simplify policy management by allowing the various elements of the policy management system to be defined and organized in an intuitive and extensible fashion.
[0011] According to one embodiment of the invention, the resource objects include devices, users, hosts, services [...] the policy enforcers at the

iC f ' *? a Z^^**loJneZo«. Each device 

; rrS^Sr. and . host. A host is a network 

^Nsubnet^ 

[0013] [...] changes to the policy enforcers. When the policy enforcers receive the log of changes, they update their respective databases accordingly and indicate to the policy server whether the updates have been successful. If they have been successful, the log of changes corresponding to these policy enforcers are deleted from the [...]. The central policy server may further include a set of application modules.

[0014] In one aspect of the invention, the set of application modules includes a centralized management sub-module for allowing installation and registration of the policy enforcers with the central policy server.

[0015] In another aspect of the invention, the set of application modules includes a policy management sub-module for managing and viewing the resource objects

nresent invention allows on-the-fly monrtonng of the re- 

of the invention over the prior art, which generally collected only raw data and required the tedious generation

[0017] The functionalities of the policy enforcers are preferably partitioned for effective hardware implementation. According to one embodiment of the invention, each policy enforcer preferably includes a plurality of modules including a classification engine, a policy engine and a packet forwarding engine. The classification engine determines a protocol associated with an incoming packet. The policy engine makes a forwarding decision for the packet based on policy settings associated with the packet. The packet forwarding module then forwards the packet based on the policy settings.
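The three-stage pipeline just described, as an added example that is not part of the patent: the classification engine maps a packet to a service, the policy engine walks an ordered list of firewall policies carrying the attributes the description later lists (user, source, destination, service, time, action, active flag), and the forwarding engine acts on the decision. The service table, the rule layout (first active match wins, default deny) and the sample packets are assumptions made for this illustration.

```python
"""Software model of a policy enforcer: classification -> policy -> forwarding.
Added example, not code from the patent; rule layout and samples are assumed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Classification engine lookup: (transport protocol, destination port) -> service.
SERVICE_TABLE = {("tcp", 80): "HTTP", ("tcp", 443): "HTTPS", ("tcp", 21): "FTP",
                 ("tcp", 23): "TELNET", ("tcp", 25): "SMTP"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp" or "udp"
    dport: int
    user: Optional[str] = None  # filled in by an authenticating security engine, if any


def classify(pkt: Packet) -> str:
    """Classification engine: determine the protocol/service of an incoming packet."""
    return SERVICE_TABLE.get((pkt.proto, pkt.dport), "UNKNOWN")


@dataclass
class FirewallPolicy:
    description: str
    action: str                               # "allow" or "deny"
    active: bool = True                       # a de-activated policy has no effect
    users: Optional[set] = None               # None matches any user
    sources: list = field(default_factory=list)       # CIDR strings; empty matches any
    destinations: list = field(default_factory=list)
    services: Optional[set] = None            # None matches any service
    time_group: Optional[tuple] = None        # ("HH:MM", "HH:MM"), end exclusive

    def matches(self, pkt: Packet, service: str, when: str) -> bool:
        if not self.active:
            return False
        if self.users is not None and pkt.user not in self.users:
            return False
        if self.sources and not any(ip_address(pkt.src) in ip_network(n) for n in self.sources):
            return False
        if self.destinations and not any(ip_address(pkt.dst) in ip_network(n) for n in self.destinations):
            return False
        if self.services is not None and service not in self.services:
            return False
        if self.time_group is not None and not (self.time_group[0] <= when < self.time_group[1]):
            return False
        return True


class PolicyEngine:
    """Policy engine: the first matching active policy decides, else the default applies."""

    def __init__(self, policies, default_action="deny"):
        self.policies = list(policies)
        self.default_action = default_action

    def decide(self, pkt, service, when):
        for p in self.policies:
            if p.matches(pkt, service, when):
                return p.action, p.description
        return self.default_action, "default"


def forward(action: str) -> str:
    """Packet forwarding engine: forward or drop according to the decision."""
    return "forwarded" if action == "allow" else "dropped"


def enforce(pkt: Packet, engine: PolicyEngine, when: str):
    """Run a packet through all three stages; `when` is the wall-clock time "HH:MM"."""
    service = classify(pkt)
    action, why = engine.decide(pkt, service, when)
    return service, action, why, forward(action)


# Constructed policy set for a branch office enforcer (assumed, for illustration).
POLICIES = [
    FirewallPolicy("block telnet anywhere", "deny", services={"TELNET"}),
    FirewallPolicy("branch web during work hours", "allow",
                   sources=["10.2.0.0/16"], services={"HTTP", "HTTPS"},
                   time_group=("09:00", "18:00")),
    FirewallPolicy("admins full access", "allow", users={"alice"}),
    FirewallPolicy("legacy mail rule (de-activated)", "allow", active=False, services={"SMTP"}),
]
ENGINE = PolicyEngine(POLICIES)
```

The time group is the "time" dimension the object model introduces later; note that a de-activated rule is skipped entirely rather than inverted, which matches the description of de-activation having no effect on the network.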

[0018] In alternative embodiments, the module may also include a security engine for authenticating a user transmitting the packet and/or a statistics module for

[0019] Each of the networks in the system may also constitute private networks and each policy enforcer associated with the private network is configured to create a table of the networks reachable through the policy enforcer. The table is then shared with the other member policy enforcers in the VPN. This allows the creation of VPNs whose member lists are dynamically created.

[0020] In one particular aspect of the invention, the communication between the first and second private networks is managed according to a security policy associated with the member networks. The security policy [...] to as a VPN cloud, providing a hierarchical organization of the group. The VPN cloud includes member networks, users allowed to access the member networks, and rules controlling access to the member networks. The hierarchical organization provided by the VPN clouds thus allows the network administrator to create a VPN in which each site has full connectivity with every other site. The network administrator need no longer manually configure each possible connection in the VPN, but only need to create a VPN cloud and specify the sites, users, and rules to be associated with the VPN. Each connection is then configured based on the configuration specified for the VPN cloud. The hierarchical organization thus facilitates the setup of a VPN with a large number of sites.

[0021] In another aspect of the invention, the rule in the VPN is a firewall rule providing access control of the traffic among the member networks. Such firewall rules allow the administrators to have fine grained access control over the traffic that flows through the VPN all within the realm of the encrypted access provided by such VPN.
[0022] In a further aspect of the invention, a remote user accesses the member networks from a remote location using a remote user terminal. The terminal is configured to receive dynamic membership information from the edge device to which it is connected. Updates to the membership information are further automatically transmitted to the remote user terminal without requiring reconfiguration of

[0023] The policy server and policy enforcers, as well as other network devices, may also be configured for high availability by maintaining a second class unit in addition to a primary unit for preventing a single point of failure. In one aspect of the invention, the backup unit is initially in an inactive state and later transitions to the active state upon detection of a failure in the primary unit.
[0024] In another aspect of the invention, each high-availability device discovers its status as a primary unit (first class unit), a backup unit (second class unit), or a stand-alone unit (third class unit) during [...].

[0025] The configuration information stored in the databases of the primary and backup units are synchronized by transitioning the first class unit to an active state, receiving and storing the first database configuration changes on the first class unit, transferring the configuration changes to the second class unit, and storing the configuration changes on the second class unit. When the primary unit transitions to an inactive state, the backup unit stores the second database configuration changes on the second class unit, and transfers those changes to the primary unit after it re-transitions to the active state.

[0026] In still another aspect of the invention, updates to the primary and backup units, such as software updates, are also synchronized by transmitting the update information to the primary unit, updating the primary unit, transmitting the update from the primary unit to the backup unit, and updating the backup unit. Thus, the network administrator need not duplicate his or her efforts to update the backup units.
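The high availability behaviour of [0023] to [0026], as an added example that is not part of the patent: a first class (primary) unit and a second class (backup) unit, configuration changes journaled on whichever unit is active and replayed to the other, a failover and recovery sequence, and a software update applied to the primary and then pushed to the backup. Unit names, the change format and the status discovery inputs are assumptions for illustration.

```python
"""State model of the primary/backup synchronization described in the summary.
Added example, not code from the patent; identifiers and change format are assumed."""
from dataclasses import dataclass, field

FIRST_CLASS, SECOND_CLASS, THIRD_CLASS = "primary", "backup", "stand-alone"


@dataclass
class HAUnit:
    name: str
    unit_class: str
    active: bool = False
    config: dict = field(default_factory=dict)   # database configuration
    version: str = "1.0"                          # installed software version
    pending: list = field(default_factory=list)  # changes not yet stored on the peer

    def apply_change(self, key, value):
        """Store a configuration change locally and journal it for the peer."""
        if not self.active:
            raise RuntimeError(f"{self.name} is inactive and cannot accept changes")
        self.config[key] = value
        self.pending.append((key, value))

    def push_pending(self, peer):
        """Transfer journaled changes to the peer, which stores them; returns count sent."""
        for key, value in self.pending:
            peer.config[key] = value
        sent = len(self.pending)
        self.pending.clear()
        return sent


def discover_class(peer_present: bool, configured_as_backup: bool) -> str:
    """Status discovery at start-up: a unit with no peer runs stand-alone (assumed rule)."""
    if not peer_present:
        return THIRD_CLASS
    return SECOND_CLASS if configured_as_backup else FIRST_CLASS


def failover(primary: HAUnit, backup: HAUnit):
    """Failure of the primary detected: the backup transitions to the active state."""
    primary.active = False
    backup.active = True


def recover(primary: HAUnit, backup: HAUnit) -> int:
    """Primary re-transitions to active; backup hands back the changes made meanwhile."""
    primary.active = True
    moved = backup.push_pending(primary)
    backup.active = False
    return moved


def update_software(primary: HAUnit, backup: HAUnit, new_version: str) -> str:
    """Both units functional: update the primary, then transmit the update to the backup."""
    primary.version = new_version
    backup.version = primary.version
    return backup.version


def scenario():
    """Walk through normal sync, failover, recovery and a software update."""
    p = HAUnit("ps-1", discover_class(True, False), active=True)
    b = HAUnit("ps-2", discover_class(True, True))
    p.apply_change("firewall.default", "deny")
    p.push_pending(b)                              # normal operation: primary -> backup
    failover(p, b)
    b.apply_change("vpn.cloud.corp", "enabled")    # change made while the primary is down
    moved = recover(p, b)                          # backup -> primary, then backup goes inactive
    update_software(p, b, "1.1")
    return p.config == b.config, moved, p.active, b.active, p.version, b.version
```

The inactive-unit check in `apply_change` is the property that keeps the two databases from diverging: only the active unit accepts configuration changes, so the journal always flows in one direction at a time.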

BRIEF DESCRIPTION OF THE DRAWINGS 

[0027] These and other features, aspects and advantages of the present invention will be more fully understood when considered with respect to the following detailed description, appended claims and accompanying drawings wherein:

FIG. 1 is a schematic block diagram of an exemplary unified policy management system;

FIG. 2 illustrates the hierarchical object-oriented structure of policies stored for an organization in accordance with the principles of the invention;

FIG. 3 is a schematic block diagram of a policy server in the policy management system of FIG. 1;

FIG. 4 is a schematic diagram of a central management sub-module in the policy server of FIG. 3;

FIG. 5 is an exemplary flow diagram of a device registration process carried out by the central management sub-module of FIG. 4;

FIG. 6 is a screen illustration of an exemplary graphical user interface for registering a device;

FIG. 7 is a screen illustration of an exemplary global monitor user interface presenting device health and status information;

FIG. 8 is a screen illustration of an exemplary graphical user interface provided by a policy management sub-module in the policy server of FIG. 3;

FIG. 9 is a screen illustration of an exemplary graphical user interface for managing system devices;

FIG. 10 is a screen illustration of an exemplary graphical user interface for managing system hosts;

FIG. 11 is a screen illustration of an exemplary graphical user interface for managing system services;

FIG. 12 is a screen illustration of an exemplary graphical user interface for managing time groups;

FIG. 13 is a screen illustration of an exemplary graphical user interface displaying a plurality of VPN clouds;

FIG. 14 is a screen illustration of an exemplary graphical user interface for adding a new firewall policy;

FIG. 15 is a schematic functional block diagram of policy enforcers updating their respective VPN membership information;

FIG. 16 is a block diagram of components in a self-extracting executable for downloading by a remote VPN client;

FIG. 17 is a functional block diagram for downloading the self-extracting executable of FIG. 16;

FIG. 18 is a schematic block diagram of a policy enforcer in the policy management system of FIG. 1;

FIG. 19 is a more detailed schematic block diagram of a policy engine in the policy enforcer of FIG. 18;

FIG. 20 is a more detailed schematic block diagram of a protocol classification engine of the policy enforcer of FIG. 18;

FIG. 21 is a more detailed schematic block diagram of an internet protocol security engine in the policy enforcer of FIG. 18;

FIG. 22 is a schematic layout diagram of a common log format according to one embodiment of the invention;

FIG. 23 is a block diagram of an LDAP tree structure according to one embodiment of the invention;

FIG. 24 is a more detailed block diagram of a branch of the LDAP tree of FIG. 23;

FIG. 25 is a flow diagram for logging and propagating LDAP changes to policy enforcers;

FIG. 26 is a schematic block diagram of a high availability system including a primary unit and a backup unit;

FIG. 27 is a flow diagram of an exemplary status discovery process conducted by a high availability unit;

FIG. 28 is a flow diagram of a process for keeping configuration information synchronized in the primary and backup units of FIG. 26;

FIG. 29 is an exemplary flow diagram of updating the primary and backup units of FIG. 26 when they are both functional; and

FIG. 30 is an exemplary flow diagram of updating the primary and backup units of FIG. 26 when the primary is not functional.

DETAILED DESCRIPTION OF THE INVENTION 

I. UNIFIED POLICY MANAGEMENT SYSTEM ARCHITECTURE

[0028] FIG. 1 is a schematic block diagram of an exemplary [...] respective routers (generally identified at 110) and Internet Service Providers (ISPs) (not shown). Also coupled to the public Internet 108 via the ISPs are web sites 112, dial-up network users 114, servers providing

and local network 104 connects users and resources at a second location of the organization, such as a branch office. Furthermore, local network 106 connects users



tlV,W ! !! t u!' ers that have access to administrative 

for the users and resources of their respective local networks 102, 104, as permitted by the policy server

Inc. of Milpitas, California.



II. OBJECT MODEL FOR NETWORK POLICY MANAGEMENT

[0033] According to one embodiment of the invention, the policy server database 130 and policy enforcer databases 132, 134 are LDAP databases adhering to a [...] to a collection of attributes referenced by a distinguished name (DN). Each of the attributes includes a
Network Working Group, March 1995) and "LDAP Programming: Directory-enabled Applications

The entries in an LDAP database are preferably arranged in a hierarchical tree-like structure reflecting political, geographic, and/or organizational boundaries. Entries representing countries appear at the top of the tree. Below them are entries representing states or national organizations. Below the states or national organizations may be entries representing people, organizational units, printers, documents, and the like.

[0034] FIG. 2 is a schematic layout diagram of a unified hierarchical object oriented structure adhered to by

L™r obiects nor a policy domain object 240. 

[0036] As illustrated in FIG. 2, each object in the structure is preferably stored as an LDAP entry. At the top of the hierarchy is the policy domain object 240 [...]. The domain object 240 includes a resource root object 20 and

5S=sS5SSS 

is generally located in the same local network as [...]. This eliminates the cost of network dependency or network latency during the user authentication process. It should be noted, however, that users

[...] from the customer network 106. These users contact

[...] authentication back to the appropriate policy enforcer.
[0038] Hosts 208 are the various networks present in [...] specified as a host in the system. Hosts 208 are preferably organized based on their physical locations



with the host. 



[0039] Services 210 reflect the various services provided by the policy server 122. Such services include, for example, multimedia streaming/conferencing, information retrieval, security and authentication, database applications, mail applications, routing applications, standard communication protocols, and the like. Attributes associated with each service include a service name, description, type (e.g. HTTP, HTTPS, FTP, TELNET, SMTP, Real Networks, and the like), and

[0040] Devices 204 are the policy enforcers 124, 126 at the edge of a particular local network. Each device/policy enforcer preferably includes users 206 and hosts 208 that are managed by the policy enforcer.

[0041] Time 220 is another dimension in controlling access to the network resources. Various time objects 220 covering a range of times may be created and used in

[0042] [...] preferably defined in terms of objects for a more efficient and intuitive definition of the policies. Policies are defined by the administrators and implemented by the policy enforcers 124, 126 on the network [...] between the public Internet 108 and the local networks 102

[0043] According to one embodiment of the invention, [...]. Each VPN cloud 232 is an individual VPN or a group of VPNs defining a security policy group

[...] policy enforcer that is associated with it. The policy enforcers for the sites act as VPN tunnel endpoints once the hosts under the sites start communicating. These communications are governed by a set of rules 238 configured for each VPN cloud. The rules 238 may govern, among other things, VPN access permissions and security features such as the level of encryption and authentication used for the connectivity at the network layer.

[0044] The object oriented structure of FIG. 2 thus allows the network administrators to define policies in an intuitive and extensible fashion. Such policies may be defined by simply associating resources to the policies. This allows for a policy-centric management model where the administrator is given the impression that a [...]. The enforcement of the policies on individual policy enforcers in different locations is transparent to the administrator.

III. POLICY-BASED NETWORK ARCHITECTURE



[0045] FIG. 3 is a more detailed schematic block diagram of the policy server 122 according to one embodiment of the invention. The policy server 122 preferably includes a management module 302 providing centralized control over the policy enforcers 124, 126 from a single console. The policy server 122 further includes a log collecting and archiving module 304 and a policy server reports module 316. The log collecting and archiving module 304 collects information about the status and usage of resources from the policy enforcers 124, 126 as well as from the management module 302, and stores them in an archive database 318. The policy server reports module 316 uses the collected logs and archives to generate reports in an organized report format.
[0046] Referring again to the management module 302, the management module 302 preferably includes four sub-modules aiding in the centralized control, namely, a centralized management sub-module 306, policy management sub-module 308, secure role-based management sub-module 310, and multiple site connectivity management sub-module 312.

[0047] The centralized management sub-module 306 enables a network administrator to install and manage individual policy enforcers from a central location. The network administrator preferably uses a web-based graphical user interface to define the policy enforcer's network configuration and monitor various aspects of the device, such as device health, device alarms, VPN connection status, and the like.

[0048] The policy management sub-module 308 provides the network administrator with the ability to create policies that span multiple functional aspects of the policy enforcer (e.g. firewall, bandwidth management and virtual private networks), multiple resources (e.g. users, hosts, services and time), and multiple policy enforcers.

[0049] The secure role-based management sub-module 310 provides role-based management to enable administrators to delegate administrative responsibilities to other administrators. This sub-module provides for maximum security when it comes to accessing the management functions.

[0050] The multiple site connectivity management sub-module 312 allows the network administrator to set up secure communication channels between two or more remote sites. In doing so, this sub-module leverages the centralized management sub-module 306, policy management sub-module 308, dynamic routing capabilities of the policy enforcers 124, 126, and the management infrastructure to provide virtual private networks across the enterprise with fine grained access control.
[0051] FIG. 4 is a more detailed schematic diagram of the central policy management sub-module 306 according to one embodiment of the invention. The sub-module includes a policy server installation wizard 404 providing an interactive user interface to aid the installation of the policy server 122. In this regard, the network administrator has access to a personal computer connected to a LAN port of the policy server 122 via a cross-over cable, hub, or the like. The network administrator connects to the policy server 122 by preferably typing in a URL of the policy server 122 into a standard internet browser such as Microsoft Internet Explorer. The URL is preferably of the form "http://<ipaddress>:88/index.htm" where <ipaddress> is the IP address that is to be assigned to the policy server. The IP address is automatically assigned to the policy server when the browser attempts to contact the address. When the administrator's personal computer sends an address resolution protocol request for the IP address, the policy server detects that a packet directed to port 88 is not claimed, and assumes the IP address.

[0052] Once connected, the policy server installation wizard 404 invokes the interactive user interface to assist the administrator in setting up the policy server 122. Among other things, the policy server installation wizard 404 prompts the administrator to specify a server name, IP address, and router IP address. Furthermore, the policy server installation wizard 404 prompts the administrator to select one of various default policies, for example default firewall, VPN, bandwidth, and administrator policies. These policies are then replicated on each new policy enforcer registering with the policy server.

[0053] The centralized management sub-module 306 further includes a policy enforcer installation wizard 406 providing an interactive user interface to aid the installation of the policy enforcers 124, 126. As with the installation of the policy server 122, the access to the wizard 406 is preferably web-based using the network administrator's personal computer.

[0054] Once connected, the policy enforcer installation wizard 406 invokes the interactive user interface to assist the network administrator in setting up a particular policy enforcer 124, 126. Among other things, the policy enforcer installation wizard 406 prompts the administrator to specify the policy server IP address, policy enforcer IP address, and router IP address. The policy enforcer then registers with the policy server 122 by invoking a URL on the policy server with basic bootstrap information of its own. The registration of the policy enforcer allows the initialization of the policy enforcer's database 132, 134 with the configuration information, as well as the monitoring of the policy enforcer's status and health by the policy server 122.

[0055] Prior to registering the policy enforcer with the policy server 122, the network administrator preferably pre-registers the policy enforcer on the policy server. Such pre-registering allows the creation of a placeholder node on the policy server for the policy enforcer data for when the policy enforcer does in fact register. In this regard, the centralized management sub-module 306



EP 1 143 664 A2



,„«de. . conW»*» interface 4-0 allowing ft. P» 

cordingto one embodiment w we 

SSL- policy enforcer in— 
network by adding 

rial number, P^^^J^S in step 403. 
the new policy enforcer to a *^J^J 410 in \, okes 

23£3§££S: 

enter . de v«e name 4^5 the adminis- 

tion information 419, ana rum 

]hi match is found, the policy server 1 22 p*Ke«* «» 

file to initialize its conf.gurat.on database, 
base 132, 134, in step 413 thecentra |izedman- 

it^rrrx::;rr m «2reJ 

SS -erf el. « freeh -« 

=sasss==Ssssi 



^ -71 o an n network usage information 71 4. The inf or- 

s co.onrf.osVtSioclorfingo.n^.oeWe.scorceVrfos 

„„,», dpraion, anrf VPN «*c 
mnKQi Referrinq again to FIG. 3, the poucy ma» y 

196 * <j scussed above, an 

time. P eferaD J' d by tne administrator during 

fault policy settings setectedDy admin istrator 

15 the "*TZ2X£L The potiescentraltyviaa 

^2£J E5£SJ« * * e P° ,iC ^ mana9e - 
graphical user ^errace p p0 | icy .centric 

20 impression that a singie . y ser vices across 

""ST^IS ISS i«es»*o «t exempt 

[...] the policy server 122 and the policy enforcers 124, 126
tnepo «-y A Dolicy server systems set- 

85 15 "t^»»*.'"e™e7admiewre.c,..vie. 

to specify a list of unauthorized web sites 116 to be

SSSSSSSs. 

S» be blocked By «< the P°«ev •" ,0 ^ ,s „ n „„ 
by selecting a specific policy enforcer 760 under a particular device group 761. Such information includes system information 762, URL blocking information 764, [...] list information 766, and the like, that is specific to the selected policy enforcer. For instance, selection of the policy enforcer's URL blocking information 764 icon causes a display of various categories 768 of URLs that the network administrator may select to block for the selected policy enforcer.
[0064] Selection of the hosts tab 718c causes a display of various hosts (networks) of the system as is illustrated in FIG. 10. A host is organized based on its

[...] external host, the administrator specifies an IP address [...] 782 assigned by the administrator.
[0065] Selection of the services tab 718d causes a display of various service groups

[0066] Each service is associated with a name 784, description 786, and service type 788 (e.g. HTTP, HTTPS, FTP, TELNET, SMTP, Real Networks, and the

in FIG. 12. For instance, selection of a work time group
[0068] Referring again to FIG. 8, the interface

Cheeses 



. „ ♦ ,t««iA«/ add and modify the various policies 
fT^S and effectuate the changes 
from the P^e^ i ^ peed t0 

0 :^C^nJ^y in each policy enforcer. 
According to one embodiment of the invention,

[0071] Each firewall policy also includes a description attribute 728 for describing the firewall policy to be [...] whether the policy has been activated or de-activated. Thus, the network administrator may create a policy [...] de-activated preferably has no effect on the network [...]. Each firewall policy further includes [...] (not shown). Each of these attributes is preferably represented [...] resource root object of the LDAP database 130, 132, or 134.

[0073] Preferably, the user attribute 734 indicates the

,ces anno destination attnbute indi- 

[...] indicating an authentication scheme for the policy (e.g. [...]). Referring to FIG. 14, a new firewall policy may be defined by simply adding a description of the policy in a description area 728a, selecting an action to be applied to the matching network traffic in an action box 730a, and indicating in an active area 732a whether the policy is to be active or inactive. Furthermore, the network administrator specifies the user [...] the server database's LDAP tree are suitably changed to reflect the addition of the new policy. The change is also transmitted to the respective policy enforcers as is described in further detail below.
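An in-memory model of the object structure of FIG. 2 and of the change propagation described in [0013] and in the paragraph above, as an added example that is not part of the patent: every object is an entry keyed by a distinguished name under a resource root, a firewall policy references its resources by DN, and the policy server keeps a log of changes that is sent to each policy enforcer and deleted only once every enforcer has reported success. The DN layout, attribute names, the serial number and the sample resources are assumptions for illustration.

```python
"""LDAP-like policy tree plus server-to-enforcer change log propagation.
Added example, not code from the patent; DN layout and attributes are assumed."""


class Directory:
    """Minimal LDAP-like store: DN -> attribute dict, with a parent-exists check on add."""

    def __init__(self, root_dn):
        self.root = root_dn
        self.entries = {root_dn: {"objectClass": "policyDomain"}}

    def add(self, dn, attrs):
        parent = dn.split(",", 1)[1]
        if parent not in self.entries:
            raise KeyError(f"parent entry {parent} does not exist")
        self.entries[dn] = dict(attrs)

    def modify(self, dn, attrs):
        self.entries[dn].update(attrs)

    def delete(self, dn):
        del self.entries[dn]

    def apply(self, change):
        """A change is an (operation, dn, attrs) tuple, the unit of the change log."""
        op, dn, attrs = change
        {"add": self.add, "modify": self.modify,
         "delete": lambda d, a: self.delete(d)}[op](dn, attrs)


def build_resource_tree(directory):
    """Resource root with the object types of FIG. 2: devices, users, hosts, services, time."""
    root = "ou=resources," + directory.root
    directory.add(root, {"objectClass": "resourceRoot"})
    for ou in ("devices", "users", "hosts", "services", "time"):
        directory.add(f"ou={ou},{root}", {"objectClass": "container"})
    # Constructed sample resources (assumed, for illustration).
    directory.add(f"cn=branch-pe,ou=devices,{root}", {"objectClass": "device", "serial": "PE-0001"})
    directory.add(f"cn=branch-lan,ou=hosts,{root}", {"objectClass": "host", "network": "10.2.0.0/16"})
    directory.add(f"cn=HTTP,ou=services,{root}", {"objectClass": "service", "type": "HTTP", "port": "80"})
    directory.add(f"cn=work-hours,ou=time,{root}", {"objectClass": "timeGroup", "range": "09:00-18:00"})
    directory.add("ou=policies," + directory.root, {"objectClass": "policyRoot"})
    return root


class PolicyEnforcer:
    def __init__(self, name, healthy=True):
        self.name = name
        self.healthy = healthy          # a down enforcer cannot acknowledge changes
        self.db = Directory("o=policyserver")
        build_resource_tree(self.db)

    def receive(self, change):
        """Apply a change to the local database and report success to the server."""
        if not self.healthy:
            return False
        try:
            self.db.apply(change)
            return True
        except KeyError:
            return False


class PolicyServer:
    def __init__(self, enforcers):
        self.db = Directory("o=policyserver")
        self.resources = build_resource_tree(self.db)
        self.enforcers = enforcers      # name -> PolicyEnforcer
        self.changelog = []             # [seq, change, set of enforcers still pending]
        self.seq = 0

    def _record(self, change):
        self.db.apply(change)
        self.seq += 1
        self.changelog.append([self.seq, change, set(self.enforcers)])

    def add_firewall_policy(self, name, description, action, active=True, **refs):
        """Policy attributes reference resource objects by DN, e.g. service=("HTTP", "services")."""
        attrs = {"objectClass": "firewallPolicy", "description": description,
                 "action": action, "active": str(active).lower()}
        for attr, (cn, ou) in refs.items():
            dn = f"cn={cn},ou={ou},{self.resources}"
            if dn not in self.db.entries:
                raise KeyError(f"unknown resource {dn}")
            attrs[attr] = dn
        self._record(("add", f"cn={name},ou=policies,{self.db.root}", attrs))

    def propagate(self):
        """Send pending changes to each enforcer; delete log entries acknowledged by all."""
        for _seq, change, pending in self.changelog:
            for name in list(pending):
                if self.enforcers[name].receive(change):
                    pending.discard(name)
        self.changelog = [e for e in self.changelog if e[2]]
        return len(self.changelog)


def demo():
    """One enforcer is down at first; the log entry survives until it acknowledges."""
    pes = {"hq": PolicyEnforcer("hq"), "branch": PolicyEnforcer("branch", healthy=False)}
    server = PolicyServer(pes)
    server.add_firewall_policy("allow-web", "branch web", "allow",
                               source=("branch-lan", "hosts"), service=("HTTP", "services"),
                               time=("work-hours", "time"))
    left = server.propagate()
    pes["branch"].healthy = True
    cleared = server.propagate()
    return left, cleared, "cn=allow-web,ou=policies,o=policyserver" in pes["branch"].db.entries
```

Keeping the per-enforcer pending set on each log entry, rather than a single "sent" flag, is what lets a server with one unreachable enforcer keep serving the others without either losing the change or replaying it to enforcers that already acknowledged it.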
[0077] Referring again to FIG. 8, selection of [...] allows the display, addition, and [...] administrator specifies administration policies that determine which users have access to what functions, and for what hosts. Preferably the administration policies include the same attributes as in the firewall rules except for the [...] may be afforded to certain users depending on their role.

IV. VIRTUAL PRIVATE NETWORK HAVING AUTOMATIC REACHABILITY UPDATING



[0079] Referring again to FIG. 3, the multi-site connectivity management module 312 allows the creation of dynamically routed VPNs where VPN membership information is dynamically created without statically configuring the membership information by the network administrator. Thus, once the administrator configures a VPN from one policy enforcer's LAN to another, [...] RIPv1 or RIPv2 running on the LAN [...] reachable through the respective interfaces. These networks then [...]. The policy enforcers on either side of the VPN create membership tables using the learned routes. The membership information is exchanged between the policy enforcers 124, 126 through the LDAP databases 132, 134. Thus the combined use of routing protocols and LDAP allows the creation of VPNs whose member lists are dynamically created.

[0080] Referring again to FIG. 8, the network administrator configures VPN policies for multiple site connections

270 configured for the system as is illustrated in FIG. 13. As described above, a VPN cloud is an individual VPN or a group of VPNs for which a security policy may be defined. Each VPN cloud includes a list of sites under a sites node 234 and users under a users node 236 which can communicate with each other.

is a set of hosts that are physically behind one of the policy enforcers 124, 126. The policy enforcers for the sites preferably act as VPN tunnel endpoints once the hosts under the sites start communicating.

[0081] The users in the VPN cloud may access the hosts associated with the sites 234. The

access the hosts as VPN clients using VPN client software installed in each user's personal computer as

node 276 including firewall rules to be applied to the connections in the cloud. The rules may govern, among other things, VPN access permissions, and security features such as the level of encryption and authentication.

[0083] The hierarchical organization provided by the VPN clouds thus allows the network to

configured based on the configuration specified for the VPN cloud. The hierarchical organization thus facilitates the setup of a VPN with a large number of

under the VPN cloud. The administrator then specifies the

276 initially includes a default VPN rule 278 corresponding to the policy settings selected by the administrator during setup of the policy server 122. The default VPN rule 278 allows unrestricted access

278 and adding specific firewall rules to the VPN. Such rules allow the administrator to have fine grained access control over the traffic that flows through the VPN, all in the realm of the encrypted access provided by such VPN. The firewall rules are applied to the cleartext packet after it is decrypted or before it is encrypted.
[0085] According to one embodiment of the invention, the administrator selects the default rule 278 to effectuate

then fine tunes the access to the VPN by adding firewall rules applicable to the VPN. The parameters in the firewall rules are preferably identical to the general firewall rules illustrated in FIG. 8.
[0086] Once a VPN cloud is configured, VPN membership information is dynamically created by the policy enforcers 124, 126 in the VPN. In this regard, each VPN site includes a tag identifying the hosts included in the site. At runtime, the policy enforcers 124, 126 for the

identifying the hosts in each site. This allows the IP addresses to be dynamically discovered without requiring static configuration of the IP addresses.
[0087] After the creation of the membership tables, any changes in the routing information are detected and notified to the member policy enforcers using a publish/subscribe process. The actual changes are retrieved by

particular network that corresponds to the changed route
[0088] FIG. 15 is a schematic functional block diagram of policy enforcers 124, 126 at opposite ends of a VPN tunnel updating their respective route information. As illustrated in FIG. 15, each policy enforcer 124, 126 includes a gated module 252, 261, a daemon to run one or more routing protocols for exchanging routes on the network. Such routing protocols may include RIPv1, RIPv2, OSPF, and the like.
[0089] When a network administrator wishes to add a new route to the private local network 102 connected to policy enforcer 124, the administrator submits, in step 241, the new route to a gated module 252 in the policy enforcer 124. This is typically done by configuring a

network. This information is then propagated by standard routing protocols to the gated module 252 of the policy enforcer 124. For example, the policy server 122 may publish the new route to the policy enforcer with which the new route is to be associated. The route may be specified, for example, by an LDAP statement such as "LAN Group@PR1," which specifies a new route from a policy enforcer PR1 to a LAN named "LAN Group". The gated module 252, in step 242, writes the new route to a kernel 253 of the policy enforcer including a VPN driver 254 so that the policy enforcer 124

route. Furthermore, the gated module 252, in step 243, writes the new route to its LDAP database 132.

in turn notifies, in steps 245a, 245b, a VPN daemon 256 and a policy deployment point (PDP) engine 257 of the change in the LDAP database 132. The PDP engine updates the modules that enforce the policies, with

The VPN daemon 256, in step 246, uses the route name to access the LDAP database 132 to get the complete route information, a list of all VPNs to which the new route belongs, and a list of the other policy routers connected to those VPNs. In step 247, the VPN daemon 256 proceeds to send the new route name to each of the other policy routers.

[0094] When policy router 126 receives a new route name from policy router 124, its network daemon 258, in step 248, accesses the LDAP database 132 in the sending policy router 124 to obtain the complete new

one VPN and has different parameters for the different VPNs, routers on the different VPNs retrieve different information corresponding to the
[0095] In step 249, the network daemon 258 writes the new route information obtained in its own LDAP database 134 and provides it to its own DNMonitor module.

259 in the receiving policy router 126 provides the new route information to its PDP engine 260 for updating its kernel 265 with the latest changes.
[0096] Although FIG. 15 has been described in connection with addition of a route to a policy enforcer and isolated VPNs, it should be readily apparent to those skilled in the art that essentially the same techniques may be applied to deletion of a route (for example, if a network component becomes inoperative or incommunicado), or change of a route (the policy router may recognize that a route already exists, albeit in a different form, and simply overwrite it). In this way, the VPN system can dynamically maintain routing information between its policy enforcers with minimal intervention by the system administrator.
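The route-propagation exchange of FIG. 15 ([0089] to [0096]), as an added Python simulation that is not the patent's own code: each policy router keeps an LDAP-like dict and a kernel-like dict, its VPN daemon fans out only the route name (step 247), and the receiving network daemon pulls the full record from the sender's database (step 248), keeping only the parameters of the VPNs it shares with the sender. Route names of the form "LAN Group@PR1", the membership dict, the `Route` fields and the per-VPN parameters are assumptions; deletion, overwrite of a changed route, and rejection of an announcement whose origin does not match the announcing peer are handled as well.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class Route:
    name: str                    # "<LAN name>@<originating enforcer>", e.g. "LAN Group@PR1"
    prefix: str                  # network reachable through the originating enforcer
    vpn_params: Dict[str, dict]  # VPN name -> parameters of this route on that VPN (assumed shape)


def parse_route_name(name: str) -> Tuple[str, str]:
    """Split "LAN Group@PR1" into ("LAN Group", "PR1")."""
    lan, sep, origin = name.rpartition("@")
    if not sep or not lan or not origin:
        raise ValueError(f"malformed route name {name!r}")
    return lan, origin


class PolicyRouter:
    """One policy enforcer: gated module, LDAP database, VPN daemon, network daemon, kernel."""

    def __init__(self, rid: str, membership: Dict[str, List[str]]):
        self.id = rid
        self.membership = membership            # VPN membership lists: VPN name -> router ids
        self.ldap: Dict[str, Route] = {}        # the enforcer's LDAP database (132 / 134)
        self.kernel: Dict[str, str] = {}        # kernel + VPN driver: route name -> prefix
        self.peers: Dict[str, "PolicyRouter"] = {}
        self.rejected: List[str] = []           # announcements that failed the origin check

    def shared_vpns(self, other: str) -> Set[str]:
        return {v for v, m in self.membership.items() if self.id in m and other in m}

    # gated module: write the route to the kernel (step 242), then to LDAP (step 243)
    def add_route(self, route: Route) -> None:
        ip_network(route.prefix)                # reject an unparsable prefix before it spreads
        old = self.ldap.get(route.name)
        self.kernel[route.name] = route.prefix
        self.ldap[route.name] = route
        # notify the VPNs the route belongs to now and any it just left
        vpns = set(route.vpn_params) | (set(old.vpn_params) if old else set())
        self._notify(route.name, vpns)

    def delete_route(self, name: str) -> None:
        route = self.ldap.pop(name)
        self.kernel.pop(name, None)
        self._notify(name, route.vpn_params)

    # VPN daemon (steps 246-247): send only the route name to the other routers on those VPNs
    def _notify(self, name: str, vpns: Iterable[str]) -> None:
        targets: Set[str] = set()
        for vpn in vpns:
            members = self.membership.get(vpn, [])
            if self.id in members:
                targets.update(r for r in members if r != self.id)
        for rid in sorted(targets):             # a peer on two shared VPNs is told once
            self.peers[rid].receive(self.id, name)

    # network daemon (steps 248-249), then the PDP engine updates the kernel
    def receive(self, sender_id: str, name: str) -> None:
        _, origin = parse_route_name(name)
        if origin != sender_id:                 # a peer may only announce routes it originates
            self.rejected.append(name)
            return
        full = self.peers[sender_id].ldap.get(name)     # pull the details from the sender's LDAP
        shared = self.shared_vpns(sender_id)
        params = {v: p for v, p in full.vpn_params.items() if v in shared} if full else {}
        if not params:                          # deleted at the sender, or no longer on a shared VPN
            self.ldap.pop(name, None)
            self.kernel.pop(name, None)
            return
        self.ldap[name] = Route(name, full.prefix, params)  # overwrite an existing entry in place
        self.kernel[name] = full.prefix


def build_demo() -> Tuple[PolicyRouter, PolicyRouter, PolicyRouter]:
    """Three enforcers; PR1 shares vpnA with PR2 and vpnB with PR3 (constructed topology)."""
    membership = {"vpnA": ["PR1", "PR2"], "vpnB": ["PR1", "PR3"]}
    routers = [PolicyRouter(r, membership) for r in ("PR1", "PR2", "PR3")]
    for r in routers:
        r.peers = {p.id: p for p in routers if p is not r}
    pr1, pr2, pr3 = routers
    pr1.add_route(Route("LAN Group@PR1", "10.1.0.0/16",
                        {"vpnA": {"encrypt": "3des"}, "vpnB": {"encrypt": "aes"}}))
    return pr1, pr2, pr3


if __name__ == "__main__":
    pr1, pr2, pr3 = build_demo()
    print("PR2 kernel:", pr2.kernel, "params:", pr2.ldap["LAN Group@PR1"].vpn_params)
    print("PR3 kernel:", pr3.kernel, "params:", pr3.ldap["LAN Group@PR1"].vpn_params)
    pr1.delete_route("LAN Group@PR1")
    print("after deletion, PR2 kernel:", pr2.kernel)
```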



V. VIRTUAL PRIVAT
E NETWORK HAVING AUTOMATIC UPDATING OF CLIENT REACHABILITY INFORMATION

[0097] Remote users communicate over the public Internet 108 with the other members of the VPN behind policy enforcers 124, 126, upon presenting appropriate credentials. These remote users access the private networks as VPN clients 140 using a VPN client software. According to one embodiment of the invention, the system

executable which, upon execution, installs both the VPN client software and VPN reachability information unique to the remote user in the user's remote terminal.
[0098] Each policy enforcer 124, 126 preferably maintains a copy of the self-extracting executable of the VPN client software including a setup program and VPN reachability configuration template. The setup program allows the VPN client software to be installed on the VPN client 140. When downloading the self-extracting executable, the configuration template is replaced with the VPN reachability information that is specific to the downloading user.
[0099] According to another embodiment of the invention, the system allows the VPN client 140 to download a self-extracting executable which, upon execution, only installs the VPN reachability information that is unique

According to this embodiment, the VPN client software is already installed on the VPN client 140. In this scenario, the setup program allows the installation of the reachability information that is specific to the downloading user, on the VPN client 140.
[0100] According to a third embodiment of the invention, the system allows the VPN client 140 to automatically download the VPN reachability information each time it connects to the policy enforcer 124, 126. Thus, VPN reachability information is kept up-to-date for each VPN client 140. Once a VPN session is established, the connection between the VPN client 140 and the policy enforcer is assumed to already be secure. The VPN client preferably makes a common gateway interface (CGI) query to a web server running on the policy enforcer and downloads the current VPN reachability information from the corresponding LDAP database.
[0101] FIG. 16 is a block diagram of components in a self-extracting executable 290 according to one embodiment of the invention. The self-extracting executable 290 may be created using commercially available tools such as the INSTALLSHIELD EXEBUILDER of InstallShield Software Corporation of Schaumburg, Illinois.

[0102] The self-extracting executable 290 preferably includes an executable setup file 292 for installing the VPN client software and/or the VPN configuration information. The setup file 292 preferably forms a static portion 298 of the self-extracting executable since this information does not change based on the VPN client. The self-extracting executable 290 further includes VPN configuration file templates for the VPN reachability information 294 and the VPN client's preshared key information 296. The VPN reachability information 294 and the VPN client's preshared key preferably form a dynamic portion 299 of the self-extracting executable 290 since this information changes based on the downloading VPN client. The self-extracting executable 290 is then saved as a template file in the policy enforcers 124, 126 and is ready to be downloaded by the remote users.

[0103] FIG. 17 is a functional block diagram for downloading

according to one embodiment of the invention. In step 320, a new VPN client 140 first establishes a secure communication session with the policy enforcer 124, 126 to download the self-extracting executable 290. Preferably, this is accomplished via an HTTPS protocol session on the VPN client's web browser or the like. In steps 322 and 324, the policy enforcer engages the VPN client in an authentication procedure where the policy enforcer requests, and the VPN client provides, his or her user name and password. In step 326, the policy enforcer compares the provided information with entries in a VPN client database 328. If the information is correct, the policy enforcer finds appropriate preshared keys for the user and in step 330, also determines the VPN reachability information of the client from a VPN configuration database 332. The VPN client database 328 and VPN configuration database 332 may reside as part of a single LDAP database 312, 314 managed by the policy enforcer 124, 126, or may constitute separate LDAP databases.
[0104] In step 334, the policy enforcer replaces the dynamic portion 299 of the self-extracting executable 290 with the VPN reachability information and preshared key that is unique to the VPN client. The newly generated self-extracting executable is then downloaded to the VPN client 140 in step 336. When the executable is run, it either installs the VPN client software and/or the VPN reachability information.
[0105] Similar techniques may also be used for downloading a new and updated copy of the VPN configuration information to the VPN client each time the client connects to the policy enforcer and negotiates a session key. In addition, the user may obtain the latest configuration of the VPN network by expressly requesting the policy enforcer for such information. Thus, the VPN client need not be reinstalled and reconfigured each time updates are made to the VPN reachability information.



VI. INTEGRATED POLICY ENFORCER



[0106] According to one embodiment of the invention, the functionalities of the policy enforcer 124, 126 for policy enforcement are partitioned for effective hardware implementation. However, it should be apparent to one skilled in the art that some or all of the functionalities may be implemented in software, hardware, or various combinations thereof.

[0107] FIG. 18 is a schematic block diagram of the policy enforcer 124, 126 illustrating the partitioning of the various functionalities according to one embodiment of the invention. The policy enforcer includes an Internet protocol security (IPSec) engine 502 for performing security and authentication functions in implementing, for instance, virtual private networks. A stream table 506 assembles the packets passing through the policy enforcer into streams. A protocol classification engine 508 decodes the protocols used in forwarding the packets. A policy engine 510 enforces policies for the packets based on the policy settings stored in the policy database 132, 134. A packet forwarding module 504 receives packets from the public Internet via the router 110 and buffers, forwards, or drops the packets based on the policies being enforced. A bandwidth management module 514 provides bandwidth shaping services to the

destination IP, source port, destination port, and protocol number of the incoming packet.
The protocol classification engine 508 takes

each connection allowed through

module 512

information to the policy

enters the information

group in its group-based form instead of instantiating a
[0113] A decision engine

the policy rules database buffer 608 based on the ac-

the protocol classification engine 508 includes a stream data assembly 702, a sliding stream data window 704, an ASN.1 706, a protocol classification state machine 708, and a signature 710. The stream data assembly 702 extracts

data
Generator (PRNG) function 802 for generating random numbers used for cryptographic key generation according to well-known methods. A Diffie Hellman 804 and RSA 812 blocks implement the corresponding asymmetric public key algorithms which are also well known in the art. An IKE block 806 communicates with an IPSec SA table 808 for implementing standard ISAKMP/Oakley (IKE) key exchange protocols. A cryptographic transforms block 814 implements standard symmetric encryption/decryption

block 810 performs standard encapsulation/decapsulation functions. Accordingly, the IPSec engine 502 provides a mature standards based IKE/IPSec implementation with public key certificate support and the necessary encryption functionality for packets passing through the private local networks 102, 104.

VII. NETWORK POLICY LOGS AND STATISTICS AGGREGATION

[0117] Referring again to FIG. 3, the log collecting and archiving module 304 collects information about the status and usage of resources from the policy enforcers 124, 126 as well as from the management module 302, and stores them in the archive database 318. The policy server reports module 316 then uses the collected logs and archives to generate reports in an organized report format.
[0118] According to one embodiment of the invention, each policy enforcer 124, 126 maintains a log file with information collected about the flow of traffic through the policy enforcer as well as the status and usage of resources associated with the policy enforcer. All the log files follow a predefined common log format, preferably

Each log entry includes a timestamp 820 in the format yyyymmddhhmmss, indicative of the year, month, day, hours, minutes, and seconds in which the log entry was created. A service field 822 indicates the type of service rendered by the policy enforcer 124, 126. Such services include VPN, FTP, Telnet, HTTP, packet filter, bandwidth, and the like. Each log entry further includes a source IP address and port 824 indicating the source from where a packet was received, as well as a destination IP address and port 826 indicating the destination to which the packet was forwarded.
[0120] A user ID field 828 identifies the user transmitting the packet. The user ID may be mapped to an entry in the LDAP database 130, 132, or 134 for obtaining additional details about the user.
[0121] A status field 830 indicates the status of an operation and may include a result code, error code and the like. For example, for a packet filter service, the status field may include a result code indicating that the packet was passed, or code "b" if the packet was blocked.
[0122] An operation field 832 indicates codes for a type of operation conducted by the service. For instance, operations for a VPN service may include sending packets and receiving packets. Operations for an FTP service may include GET and PUT operations. Operations for an HTTP service may include GET and

[0123] In addition to the above, each log entry includes an in-bytes field 832 indicative of the number of bytes the policy enforcer received as a result of the activity, and an out-bytes field 834 indicative of the number of bytes transferred from the policy enforcer. Furthermore, a duration field 836 indicates the duration (e.g. in seconds) of the activity.
[0124] Certain fields of a particular log entry may be left blank if not applicable to a particular service. For instance, for an FTP download, where there is no outgoing traffic, the out-bytes field is left blank. Furthermore, additional fields may be added based on the type of service being logged. For instance, for an HTTP activity, the URL that is accessed is also logged in the log entry. The additional fields are preferably appended to the end of the standard log format.
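A parser for the common log format of [0118] to [0124], as an added Python example that is not the patent's code: it validates the yyyymmddhhmmss timestamp and the address-and-port fields, keeps blank not-applicable fields as None, retains service-specific fields appended after the standard ones, and reports malformed lines instead of dropping them silently, then aggregates blocked packet-filter entries per source and bytes per user. Tab separation, the "ip:port" spelling of the address-and-port fields, the service name "packetfilter", the status codes other than "b", and the sample lines are assumptions (constructed data).

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# Field order of the common log format (fields 820-836); separator is an assumption.
FIELDS = ("timestamp", "service", "src", "dst", "user", "status",
          "operation", "in_bytes", "out_bytes", "duration")
Endpoint = Optional[Tuple[str, int]]


@dataclass
class LogEntry:
    timestamp: datetime
    service: str
    src: Endpoint
    dst: Endpoint
    user: str
    status: str
    operation: str
    in_bytes: Optional[int]
    out_bytes: Optional[int]
    duration: Optional[int]
    extra: List[str] = field(default_factory=list)  # service-specific fields appended at the end


def _endpoint(text: str) -> Endpoint:
    """'ip:port' -> (ip, port); an empty field means 'not applicable' (assumed spelling)."""
    if not text:
        return None
    host, sep, port = text.rpartition(":")
    if not sep:
        raise ValueError(f"endpoint {text!r} lacks a port")
    p = int(port)
    if not 0 <= p <= 65535:
        raise ValueError(f"port {p} out of range")
    return str(ip_address(host)), p      # ip_address() rejects garbage addresses


def _opt_int(text: str) -> Optional[int]:
    return int(text) if text else None


def parse_line(line: str) -> LogEntry:
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < len(FIELDS):
        raise ValueError(f"expected at least {len(FIELDS)} fields, got {len(parts)}")
    ts = parts[0]
    if len(ts) != 14 or not ts.isdigit():
        raise ValueError(f"timestamp {ts!r} is not yyyymmddhhmmss")
    return LogEntry(
        timestamp=datetime.strptime(ts, "%Y%m%d%H%M%S"),
        service=parts[1], src=_endpoint(parts[2]), dst=_endpoint(parts[3]),
        user=parts[4], status=parts[5], operation=parts[6],
        in_bytes=_opt_int(parts[7]), out_bytes=_opt_int(parts[8]),
        duration=_opt_int(parts[9]), extra=parts[10:])


def parse_log(text: str) -> Tuple[List[LogEntry], List[Tuple[int, str]]]:
    """Parse a whole file; malformed lines are reported with their line number, not dropped."""
    entries, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entries.append(parse_line(line))
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
    return entries, rejected


def blocked_by_source(entries: List[LogEntry]) -> Dict[str, int]:
    """Packet-filter entries with result code 'b' (blocked), counted per source IP."""
    counts: Dict[str, int] = {}
    for e in entries:
        if e.service == "packetfilter" and e.status == "b" and e.src:
            counts[e.src[0]] = counts.get(e.src[0], 0) + 1
    return counts


def bytes_by_user(entries: List[LogEntry]) -> Dict[str, Tuple[int, int]]:
    """(in_bytes, out_bytes) totals per user; a blank byte field counts as 0."""
    totals: Dict[str, Tuple[int, int]] = {}
    for e in entries:
        i, o = totals.get(e.user, (0, 0))
        totals[e.user] = (i + (e.in_bytes or 0), o + (e.out_bytes or 0))
    return totals


# Constructed sample log (not real data). Line 3 is an FTP download, so out-bytes is blank;
# line 4 is an HTTP request with the accessed URL appended; line 5 has a bad timestamp.
SAMPLE_LOG = "\n".join([
    "20000315101500\tpacketfilter\t10.1.1.7:40112\t192.168.5.20:23\tjsmith\tb\t\t60\t\t",
    "20000315101501\tpacketfilter\t10.1.1.7:40113\t192.168.5.20:22\tjsmith\tb\t\t60\t\t",
    "20000315101630\tFTP\t10.1.1.9:2049\t192.168.5.30:21\tasmith\t0\tGET\t524288\t\t42",
    "20000315101700\tHTTP\t10.1.1.9:2050\t192.168.5.40:80\tasmith\t0\tGET\t2048\t512\t1"
    "\thttp://intranet.example/index.html",
    "2000031510\tVPN\t10.1.1.9:500\t192.168.5.1:500\tasmith\t0\tsend\t1500\t\t",
])

if __name__ == "__main__":
    entries, rejected = parse_log(SAMPLE_LOG)
    print(f"{len(entries)} entries parsed, {len(rejected)} rejected: {rejected}")
    print("blocked per source:", blocked_by_source(entries))
    print("bytes per user:", bytes_by_user(entries))
```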

[0125] A person skilled in the art should recognize that additions, deletions, and other types of modifications may be made to the log format without departing from the spirit and the scope of the invention as long as the log format is common to all the policy enforcers and is aimed at creating compact logs.
[0126] The log files created by the policy enforcers 124, 126 are transferred to the policy server 122 based on archive options

the network administrator specifies a threshold limit for the logs created by the policy enforcers upon selection of the policy server archive option 752 of FIG. 9. When the log file exceeds the specified size, it is sent to the policy server 122. Preferably, the logs are transferred to the policy server 122 at least once a day even if the threshold size has not been exceeded. The logs may also be archived locally at the policy enforcer if so specified by the network administrator.
[0127] Once the policy server 122 receives the logs, they are stored in the archive database 318 preferably taking the form of an SQL database. The policy server reports module 316 queries this database to generate reports for each policy enforcer 124, 126. In addition, the logs

commercially available products such as WEBTRENDS, manufactured by WebTrends Corporation of

[0128] The reports created by the reports module 316

including policy enforcers, users, services, hosts, and VPNs. For instance, the reports may include VPN summary reports, bandwidth summary reports, packet filter reports and the like, for each policy enforcer.
[0129] The reports preferably show usage of each of the resources over a period of time. The start and the end date for the report may be specified by the user. The user may further drill down on the time dimension and on the resource dimension for viewing specific times and specific resources. For instance, in creating the packet filter reports, the user may indicate a start and end time, source IP address, source port, destination IP address, and destination port. All packets meeting these criteria are then fetched from the archive database 318 and shown in a packet report.

VIII. METHOD FOR SELECTIVE LDAP DATABASE 
SYNCHRONIZATION 



[0130] According to one embodiment of the invention,

firewall, VPNs, bandwidth, administration, user records, services, and

above, the LDAP directory service model is based on

entries are arranged in a tree structure that follows a geographical and organizational distribution. Entries are named according to their position in the hierarchy by a

cy management information for all the policy enforcers in the policy server database 130. This information is organized in the database 130 as one or more DNs with corresponding attributes. Appropriate portions of the policy server database are then copied to the policy

FIG. 23 is a diagram of an LDAP tree structure including an LDAP root 265 and a plurality of branches. According to one example,

branches 264 and 266

relates to the configuration information for

as well as some additional information about the other policy

formation is used to communicate with the other policy

[0133] The policy server 122 may further maintain a branch 268 storing information used only by the applications running on the server and not shared with any

enforcers 124, 126 may maintain a portion of branch 268 containing information used only by the applications on each of the policy enforcers and not shared elsewhere. Typically, the data stored in branch 268 is dynamically generated and used by the applications running on the



only included in the

the various graphical user interfaces described

database 130 where the corresponding DN of the LDAP tree is added, deleted, or modified. The policy server 122 further creates a log of the changes and stores them in branch 270 for later distribution to the policy enforcers

[0135] FIG. 24 is a more detailed block diagram of branch 270 of the LDAP tree of FIG. 23. The LDAP root 265 includes an ApplyLog 270a entry which in turn includes a user log entry 270b and a device log entry 270c. The user log entries include specific administrator log entries identified by specific DNs 270d for reflecting the changes made by the particular administrators. The device log entry 270c includes specific device log entries identified by specific DNs 270e reflecting the changes

to one embodiment of the invention. In step 420, a particular network administrator makes a policy setting change. According to one example, the administrator is "adm" working in the domain domain1 and the change is the addition of a new user on a device.
[0137] In step 422, the change made by the administrator

created is named "A_L1", the policy server updates the DN 270d for "adm" at "domain1" to create an attribute "apply" 270f that has the value A_L1 in the administrator's log DN 270d.

[0139] In step 428, the policy server 122 checks whether the changes made by the

be propagated to the appropriate policy enforcers 124, 126. As discussed above, the changes are preferably propagated upon actuation of an apply button from the administrator's graphical user interface.

[0140]

policy server transmitted, in this

The changes suitably modified for each policy enforcer's LDAP are then stored in a device log. Each enforcer's LDAP is then modified to reflect

tree. In step 434, the change

enforcer, as reflected in the values 270j, 270k of the database 132, 134. The changes are sent to the policy

IX. STATE TRANSITION PROTOCOL FOR HIGH AVAILABILITY UNITS

[0144] According to one embodiment of the invention,

availability by maintaining a backup unit in addition to a

[0145] FIG. 26 is a schematic block diagram of a high availability system including a primary unit 902 and a

908 are conventional components that are com-

respectively. These components 910, 912, 914 may

Each unit is preferably connected to the same compo-

communications between them. The primary unit 902 and the backup unit 904 preferably communicate with each other via TCP packets over the high-

[0146] The primary unit 902 is preferably responsible for failures. For example, if the primary unit 902 detects

upon defining the

receives a request from the primary unit 902 to relinquish

unit 904 is up and running, it connects to the primary

connection is made, the backup

"Keep Alive" packet including a

The primary unit 902 responds to the "Keep Alive" packet to the sender. If the backup unit

is sent to the administrator indicating that the

may arise when both the primary

protocol of

for a primary unit and inquires, in step 936, whether

in step 942, unit X searches the network for a stand-alone unit in step 948.



Once the primary and secondary units have

uration is preferably stored

such as the central policy server database 130

and the apply back to the primary unit.
In step 956, the primary unit is checked to determine whether it is functional. If it is, the primary unit

According to one embodiment of the invention, updates on the primary and backup unit

up units serially in a single administrator

unit with the same information as the primary unit.
FIG. 29 is an exemplary flow diagram of updating primary and

functional. In step 970, is sent/trans-

unit instead of the primary unit. In step 982 the backup

management station becomes

to the primary unit for upgrading in step 986. The primary unit then updates itself in step 988.
[0163] Although the present invention has been described in detail with reference to the preferred embodiments,

substitutions and modifications can be made to the examples described herein while remaining within the spirit and scope of the invention as defined in the

For example, the unified policy management system of FIG. 1 should be viewed as illustrative rather

art who are enlightened by the present invention, many alternative configurations are possible. For example, there may be additional networks with policy enforcers

or no additional networks at all. The policy enforcers may not necessarily access the policy server through the Internet, but may be connected through other means such as a WAN, MAN, etc. In short, the number and types of resources within and without the organization can vary greatly while staying within the scope of the invention.



Claims

1. A system for managing policy services in an organization, the organization including a first network having a first set of resources and a second network remote from the first network having a second set of resources, the system comprising:

a first edge device associated with the first network, the first edge device configured to manage policies for the first network and the first set of resources in accordance with first policy settings stored in a first database;
a second edge device associated with the second network, the second edge device configured to manage policies for the second network and the second set of resources in accordance with second policy settings stored in a second database; and
a central policy server defining the first and second policy settings and managing the first and second edge devices from a single location, the central policy server being associated with a central database storing configuration information of the first and second edge devices, wherein the central database is organized according to a hierarchical object oriented structure.

2. The system of claim 1, wherein the first and second databases are organized according to the hierarchical object oriented structure.

3. The system of claim 1, wherein the configuration information includes the first and second policy settings.

4. The system of claim 3, wherein the hierarchical object oriented structure includes a plurality of resource objects and policy objects for defining the first and second policy settings.

5. The system of claim 4, wherein the central database and the first and second databases are Lightweight Directory Access Protocol (LDAP) databases storing each resource object and policy object as an LDAP entry.

6. The system of claim 4, wherein the resource objects are selected from a group consisting of devices, users, hosts, services, and time.

7. The system of claim 6, wherein the devices include the first and second edge devices, each device being associated with a set of users and a particular host.

8. The system of claim 6, wherein the hosts include the first and second networks.

9. The system of claim 4, wherein the policy objects are selected from a group consisting of bandwidth,

administration, and virtual private network grouping.

10. The system of claim 9, wherein the virtual private network grouping includes a virtual private network associated with one or more sites, users, and rules.

11. The system of claim 10, wherein each site includes one or more networks behind an edge device.

12. The system of claim 10, wherein the rules are firewall rules providing access control over network traffic flowing through the virtual private network.

13. In a system including a first network having a first set of resources and a second network remote from the first network having a second set of resources, the first network being associated with a first edge device and a first database, the second network being associated with a second edge device and a second database, the system further including a central policy server in communication with the first and second edge devices, the central policy server being associated with a central database, a method for managing policy services in the system comprising:

storing configuration information of the first and 
second edge devices in the central database, 
the central database being organized in a hier- 
archical object oriented structure; 
storing first policy settings in the first database; 
storing second policy settings in the second da- 
tabase; managing policies for the first network 
and the first set of resources from the first edge 
device in accordance with the first policy set- 
tings stored in the first database; 
managing policies for the second network and 
the second set of resources from the second 
edqe device in accordance with the second pol- 
icy settings stored in the second database; and 
defining the first and second policy settings and 
managing the first and second edge devices 
from the central policy server. 

14. The method of claim 13, wherein the first and second databases are organized according to the hierarchical object oriented structure.

15. The method of claim 13, wherein the configuration information includes the first and second policy settings.

16. The method of claim 15, wherein the hierarchical object oriented structure includes a plurality of resource objects and policy objects for defining the first and second policy settings.

17. The method of claim 16, wherein the central database and the first and second databases are Lightweight Directory Access Protocol (LDAP) databases storing each resource object and policy object as an LDAP entry.

18. The method of claim 16, wherein the resource objects are selected from a group consisting of devices, users, hosts, services, and time.

19. The method of claim 18, wherein the devices include the first and second edge devices, each device being associated with a set of users and a particular host.

20. The method of claim 18, wherein the hosts include the first and second networks.

21. The method of claim 16, wherein the policy objects are selected from a group consisting of firewall, administration, and virtual private network grouping.

22. The method of claim 21, wherein the virtual private network grouping includes a virtual private network associated with one or more sites, users, and rules.



23. The method of claim 22, wherein each site includes one or more networks behind an edge device.

24. The method of claim 22, wherein the rules are firewall rules providing access control over network traffic flowing through the virtual private network.